ANALYZING CROSS-BORDER FLOW OF DATA UNDER DPDP BILL, 2022
The Editorial Column is authored by Harshit Kapoor and Shivi, Associate Editor and Copy Editor respectively, at RGNUL Financial and Mercantile Law Review.
‘Data is the new oil, the new gold’. This phrase well explains the importance of data in today’s world. The collection, processing, and storage of financial or personal data of clients and business organizations is the one thing that unites all the economies of the world. The protection of digital data in India has been a continuing concern for nearly the past decade. The sensitive and crucial data of people has so far been vulnerable and at the mercy of the different entities involved in the collection and/or processing of data. With no proper legal framework and only a few judicial pronouncements concerning the protection of data, issues concerning the protection and processing of digital personal data are on the rise. In pursuance of establishing a legal framework to deal with this mushrooming predicament, the government of India came up with multiple data protection bills in recent years. However, none could materialize due to several loopholes in the proposed laws.
Once again, the Ministry of Electronics and Information Technology (“MeitY”) has come up with the fourth version of such a bill, namely the draft Digital Personal Data Protection Bill, 2022 (“DPDP Bill, 2022”), three months after withdrawing the previous draft, released in 2019.
The new version of the bill differs in several aspects from its previous versions. Earlier, the proposed regulator, the Data Protection Authority, had much more power with respect to regulation-making and adjudication. However, the DPDP Bill, 2022 reduces the powers of the proposed Data Protection Board of India, as it is left with rule-making power in only 14 out of 22 clauses. The bill also differs with respect to data localization and the cross-border flow of data. Changes have been made to harmonize the interests of privacy with the concerns of different industries. However, these changes beget several questions and issues which need to be addressed. In this article, the authors delve into the concept of the cross-border flow of data and discuss how the DPDP Bill, 2022 plans to regulate this flow. Further, the authors highlight the major issues and concerns revolving around data localization vis-à-vis the proposed DPDP Bill, 2022. The article also furnishes a comparative analysis of how different jurisdictions deal with the cross-border transfer of data.
2. CROSS-BORDER STORING OF DATA
Our online presence requires sizeable data to be collected and stored by the technology giants, and the protection of this personal data is an important issue arising out of this boom in digitalization. Businesses in the digital economy are international, necessitating the transmission of personal data across borders. This transfer of data to another country or jurisdiction is known as the cross-border transfer of data, and it requires businesses to comply with the privacy laws of the jurisdiction of the transferor state.
India has now proposed a new data protection bill that permits the cross-border transfer of data to certain notified countries and territories. Section 17 of the bill proposes that the countries will be notified after ‘an assessment of such factors as the center may consider necessary’, and the following provision, Section 18, enumerates the exceptions under which a transfer is exempted from the bill’s provisions. The bill is more in line with the data protection laws of Singapore, Australia, and the EU, and does away with the specific data localization provision for the cross-border transfer of sensitive and critical personal data that appeared in the previous drafts. It also provides for levying heavy penalties for any kind of non-compliance.
In comparison to the current bill, the bill introduced in 2018 was much more stringent and specified that data fiduciaries must store at least one copy of personal data in data centers in India, although exceptions had been provided. The 2019 and 2021 bills only described transfers for sensitive and critical personal data. The penalties for non-compliance were comparatively less stringent in the 2018 and 2019 bills and were limited to up to 15 crores or 4% of the total worldwide turnover in the last year, whichever is higher. The 2021 bill, on the other hand, left the penalty to be prescribed by the government.
3. CONCERNS SURROUNDING TRANSFER OF DATA OUTSIDE INDIA
Despite its attempt to do away with and alleviate the issues surrounding the cross-border flow of data, there still exist some issues which need deliberation. Section 17 of the draft bill provides for the transfer of data to countries that the government will notify after considering factors it deems necessary. Moreover, a data fiduciary can transfer data to such countries “in accordance with terms and conditions as may be specified” by the government. The bill does not lay down the factors the government should consider before notifying a country (as adequate or non-adequate) for the transfer of data. The bill is also silent on the terms and conditions that a fiduciary needs to comply with. Moreover, it does not lay down any concept of reciprocity or a minimum standard of protection that the transferee needs to accord to the data transferred. Such an open-ended law gives wide power to the government and recreates the issue of data security outside borders.
The provisions pertaining to the cross-border flow of data were allegedly too restrictive in the 2019 bill. However, this version has relaxed those restrictions to a scary extent. It has done away with the categorisation of data as sensitive or critical and places all of it under the umbrella of personal data. This implies that sensitive personal data, which included passwords, financial data, biometrics, caste, sexual orientation, etc., will be treated in the same way as any other digital personal data. With no specific requirements for storing and processing such data (such as the requirement of explicit consent), the new bill poses a serious threat to such data and makes it vulnerable to misuse.
As of now, the IT Rules require a data transferor to ascertain whether or not the data transferee will accord the same level of protection to personal data. They allow the cross-border flow of data only when there is consent. However, in the absence of any rules and restrictions for the transfer of data, the present bill makes way for the free and unrestricted flow of data outside borders, as long as there is consent or deemed consent of the data principal under Sections 7 and 8 of the bill, respectively.
4. POLICIES OF OTHER JURISDICTIONS
In the digital global economy, it is imperative for businesses to understand the principles pertaining to privacy laws. Various jurisdictions have dedicated data protection laws that permit the cross-border transfer of data on the principles of adequacy, informed consent, contractual necessity, the interest of data subjects, and a state’s legal functions. The European privacy law known as the General Data Protection Regulation (GDPR) permits the free cross-border flow of data within EU countries. Additionally, the transfer of data to non-EU countries is also permissible provided the requirements mentioned in Chapter V of the GDPR are complied with. It permits transfers to countries that give an ‘adequate’ level of protection to data, as provided within the EU. The USA came up with a set of guidelines or principles to be followed by businesses receiving data from the EU, known as the EU-US Privacy Shield framework. In the case of Schrems II, the Court of Justice of the European Union (“CJEU”) declared the Privacy Shield an invalid mechanism due to non-fulfillment of the requirements enshrined in Art. 45(2)(a) of the GDPR, and since then a long-awaited new framework, the Trans-Atlantic Data Privacy Framework, was introduced in March 2022.
In Singapore, the Personal Data Protection Act allows the transfer of data outside Singapore where the recipient can protect the data to the same standard as it would be protected in Singapore. Russia has a similar data-sharing framework. Even in the absence of a framework for data sharing, organizations planning to transfer data can choose to have their contracts governed by model clauses or Standard Contractual Clauses (“SCC”) that have been approved by the data authorities of the nation to which the data will be transferred. However, some countries, like Switzerland, would demand prior consent from the data protection authorities if the SCC’s terms are violated.
In case of inadequacy, data can still be transferred if the data principal consents to it after being apprised of the associated risks. For instance, the EU, UK, Mauritius, Vietnam, Australia, and Switzerland require that consent be obtained from data principals after apprising them of the associated risks and giving them the option to refuse such consent.
It is high time that India devises robust and efficient legislation to deal with the security of personal data. While it is understandable, given the ever-evolving nature of the digital arena, that no straitjacket formula can be devised to deal with digital personal data and that the government will have to keep reviewing it from time to time, it still needs to lay down a strong foundation for protecting the interests of data principals and harmonizing their interests with those of different businesses.
The government must ensure that the transfer of data to another country or international organization is allowed only on the condition that they ensure an adequate level of protection for the data transferred. An independent authority must be set up by the government to decide the factors for determining the countries or territories outside India to which a Data Fiduciary may transfer personal data. A mechanism should be provided for periodic review of developments in the notified country or organization, and the list should be revised accordingly. Each transfer of data might not require specific authorization; however, a request for consent should be presented to the data fiduciary specifying the purpose of the transfer of data to another country for a specific reason. Data Fiduciaries should also be allowed to transfer data to another country provided they ensure the appropriate safeguards specified by the center, and on the condition that enforceable data principal rights and effective legal remedies for data principals are available.